
SOC It to Me: How to Properly Review a SOC Report

System and Organization Control (SOC) reports have quickly become a standard request for SaaS application providers in order for customers to perform a security due diligence review.  So, are all SOC reports the same?  No!  Should you read the SOC report?  Absolutely!  How should you properly review a SOC report?  Read on 🙂

Background

SOC audits are only performed by a Certified Public Accountant (CPA) firm in accordance with the American Institute of Certified Public Accountants (AICPA) guidelines.  The point of the examination is to measure the effectiveness of an organization’s controls and safeguards by an independent third party.

SOC Report Types

There are several types of SOC Reports as seen in the table below.  The most often requested is the SOC 2 Type II as it covers a range of trust criteria and is an examination of controls over a period of time.

| Type | Time Period | Details |
|------|-------------|---------|
| SOC 1 Type I | Point in time examination | Examines internal controls for financial reporting. |
| SOC 1 Type II | Examination over a period of time | Examines internal controls for financial reporting. |
| SOC 2 Type I | Point in time examination | Examines internal controls for compliance. Covers some or all of the following trust criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. |
| SOC 2 Type II | Examination over a period of time | Examines internal controls for compliance. Covers some or all of the following trust criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. |
| SOC 3 | | Public facing report that is much less detailed and is used for marketing or public distribution. Less detailed version of a SOC 2 Type II. |

Reviewing the SOC 2 Report

While all SOC reports generally have the same format, they vary in thoroughness depending on the auditing firm.  Additionally, these examinations are not pass/fail and should be reviewed to fully understand the controls in place within an organization.  The examinations cover controls that are in place for the trust criteria (Security, Availability, Processing Integrity, Confidentiality, and Privacy) that the company being examined chooses to include.  The auditor chooses a list of controls within audit categories to include for the examination.  SOC reports can be over 100 pages long, and the following are some areas that a reviewer should focus on.

Company and Scope

It may sound obvious, but a reviewer must ensure that the SOC 2 Type II report covers the company and the solution actually being evaluated.  There are many times where Software as a Service (SaaS) companies give customers a SOC report for a cloud hosting provider (ex. AWS or Azure) because that’s where the solution is hosted.  Unfortunately, the hosting provider SOC reports do not cover these SaaS solutions.  Instead, the SaaS solutions should have their own SOC reports.

SOC Report Type

As explained above, there are different types of SOC reports.  The SOC 2 Type II is the strongest and is frequently requested. 

Trust Criteria

Companies select which trust criteria they want the examination to cover.  The options are the following: Security, Availability, Processing Integrity, Confidentiality, and Privacy.  Most examinations include at least the Security trust criteria.  It is important that the reviewer knows which trust criteria are included and whether the auditor states that each trust criterion is met.

Audit Period

SOC 2 Type II reports are examinations of controls over a specific audit period.  A reviewer should ensure that the audit period is recent.

Complementary User Entity Controls (CUECs)

SOC reports have a section titled “Complementary User Entity Controls” or CUECs.  These are controls that the company states that the customer is responsible for.  It is incredibly important that the customer understands what responsibilities the solution provider is putting back on them.

Audit Exceptions & Manager’s Response

While the audit is not pass/fail, the auditor does state whether certain controls were not present.  These are usually listed as “exceptions” in a large table of controls that were reviewed during the examination.  If there are any exceptions, the company can provide their explanation in a “Manager’s Response” section at the end of the report.  For example, if an audit discovers that an employee’s access was not terminated immediately after dismissal, the company can respond by saying they now have procedures in place to immediately disable access upon any termination.

Audit Detail

Every audit firm is different, and some may perform more comprehensive audits than others.  While it can be tough to determine the strength of an audit, a reviewer should read the entire report to understand the level of scrutiny that was performed.  For example, a reviewer could see if the auditor reviewed penetration testing reports and see any details that the auditor provided around that control.  A company can obtain a SOC report without having great security in place.  The auditors should have the expert knowledge to conduct the examination per the specified trust criteria, but unfortunately this is not always the case.

How Can I Automate the Review of a SOC Report?

We get it, you’re busy and often do not have time to thoroughly review a SOC report.  While security professionals are often the individuals responsible for reviewing these reports, this process is not what they were trained for, nor should they have to prioritize these reviews over more pressing cybersecurity tasks.  Thankfully there is a solution for this.  Stern Security’s Velocity product has automated this entire SOC review process.  Instead of spending an hour reviewing the 100+ page report, Velocity analyzes it for you, outputs a summary, and highlights any areas of concern.  This is why Velocity is often called “A CISO’s Best Friend”.  Velocity helps security professionals utilize their time much more efficiently.  Sign up for Velocity and start automating these SOC report reviews today.

Conclusion

All SOC reports are different, and each should be thoroughly reviewed to understand coverage, compliance, and areas of concern.  Companies can obtain a SOC report without having great security in place.  Velocity can automate the SOC report review process in order to make teams more efficient and effective.

Author

Jon Sternstein